The suspected scammers are using leaked order data to personalize messages, making the emails much harder to dismiss.
Cybercriminals have reportedly launched a targeted phishing campaign using a fake merger between cryptocurrency hardware wallet manufacturers Ledger and Trezor.
This follows a recent data leak at Ledger’s third-party e-commerce partner, Global-e.
Details of the Phishing Scam
On January 5, Ledger disclosed to its customers via email that Global-e had suffered a data breach, exposing customer information, including names, email addresses, phone numbers, and order details. Shortly after the incident was made public, affected users began receiving phishing emails falsely claiming that the two companies had merged. Screenshots of the fake communications have since been shared on X.
“We are pleased to announce that after months of strategic discussions, Ledger and Trezor have finalized a merger agreement. This landmark partnership unites two industry leaders with a shared vision of providing the highest standard of security for digital asset management,” read the message.
The email further stated that the decision would allow the two firms to accelerate innovation, expand their product offerings, and continue their commitment to protecting clients’ assets. Recipients were also instructed to “migrate” their wallets by entering their 24-word recovery phrases on a fake website designed to mimic official branding.
In response to the attack, Global-e has reportedly launched an internal investigation into the hack and is working with cybersecurity experts to assess the scope of the incident. Meanwhile, the company has not disclosed the exact number of affected users but confirmed that the breach was limited to contact and order information.
Ledger has also reportedly notified relevant data protection authorities and is cooperating with law enforcement agencies.
A History of Data Breaches
This episode is not the first time Ledger has been involved in such a scandal. In 2020, attackers also accessed its e-commerce and marketing databases, exposing the personal information of hundreds of thousands of users.
You may also like:
The disclosed data included email addresses, names, phone numbers, and physical addresses, with affected users later reporting receiving phishing emails and threats. At the time, the wallet manufacturer faced public criticism for its delayed disclosure and inadequate safeguards, which resulted in a formal lawsuit being filed against it and Shopify.
The company later confirmed that a rogue Shopify employee was responsible for leaking the personal details of approximately 20,000 customers. This was followed by a separate attack later that year, in which the data of about 292,000 customers was published online.
More recently, the firm suffered another security incident, resulting in the theft of approximately $600,000 in cryptocurrency after a wallet drainer was inserted into a library used by multiple decentralized applications to connect to their devices.
SECRET PARTNERSHIP BONUS for CryptoPotato readers: Use this link to register and unlock $1,500 in exclusive BingX Exchange rewards (limited time offer).